Posts for Jigwally


Jigwally
He/Him
Experienced Forum User, Published Author, Active player (418)
Joined: 3/11/2012
Posts: 119
There is a lot of shared code, particularly all of the Koei games have the built-in virtual machine + a standard C library in their Root page, so it is a lot faster going now that I've worked most of it out already. I can do this same trick of blanking the program counter to read the zero page as code in L'Empereur, but I haven't worked out a way of writing a payload there yet. This + L'Empereur are probably by far the easiest Koei games to pull this off in because they make the most use of linked lists, which allow for direct writing to specific RAM addresses. The other games still have corruptible pointers in the save data but not nearly as much control over what I can do with them. At least Uncharted Waters lets you enter custom names + starting stats, so those are potential payloads.
Post subject: Romance of the Three Kingdoms II
Jigwally
Working on a save corruption route for this game now. Like L'Empereur it uses linked lists which are abusable. Unfortunately there doesn't seem to be a specific RAM address that triggers the ending like in L'Empereur, so in order to trigger the ending I had to perform a very rudimentary ACE. Again I used a mid-frame reset to create a General pointing to controller input, and using that began writing code (in the Koei bytecode) to a section of the zero page that seems to be unused. Then, by making an officer @ $0006 and sending it to an empty province, the game treats it as the only entry in a linked list, which means setting it to 0x0000. This is the address for the virtual machine's program counter, so once you do this the game will begin processing all of the values on the zero page as code. Eventually it will get to the code you've written and perform the function call for the ending. Very unoptimized for now (5 1/2 minutes); due to the way the game handles appending linked lists I had to do some very specific setups to write to the zero page and not crash the game. Link to video
Jigwally
Yes, they all lead into each other. In Scenarios 1/2 you aren't the ruler yet, so you only have partial control. You can advance to the next Scenario after you control a certain number of cities + centers of power (important cities). Alternatively, in Scenario 2 you can go on an Egyptian expedition event; if you succeed (get the Rosetta stone) you can then immediately go to Paris to advance to Scenario 3. The only variation you can get in the ending, I think, is that the first quote is said by whoever your wife is at the time (it won't appear at all if you win the game before your first marriage or between marriages), & the subsequent quotes have different portraits depending on who the other current leaders are. Also, in the other releases of this game there's a very difficult Scenario 5 that is unlocked if you get a game over from Napoleon getting captured. The game doesn't contain the starting data for Scenario 5 or any way to unlock it, but the code/data pertaining to it is still intact. In fact, if you change the scenario (0x6FEA) to 5 you can see that it causes every nation in the game to try to break off ties with you; eventually every nation you aren't allied with will be at war with you.
Jigwally
warmCabin wrote:
Linked lists! Finally putting that computer science degree to good use! Was there a chance that you'd end up with an unlucky series of pointers that overflows the menu and crashes or something?
Yeah, there are several actions you can try to take that will cause the game to crash when trying to load the officer list, including AI turns when it's scanning through the officer lists of hostile neighbor cities. I'm guessing it's because it gets stuck in a permanent loop trying to traverse the officer list. The path it takes through RAM & whether it gets stuck in a loop probably depends on which ROM page is loaded into the RAM banks at the time. It now occurs to me that you could probably circumvent this by making sure controller input points to a zero value on the critical frame. My first attempt to set the ending flag was to set a glitched officer's number of men, horses, or cannons to 3, but that ended up crashing; then I figured out the Ball event, which is way faster anyway. Sometimes when you attempt the Ball it will immediately crash afterwards and/or display graphical glitching. You can actually see a graphical glitch occur at the moment the bonuses are applied during the Ball.
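The two linked-list hazards in the posts above, the write-what-where primitive from the Romance of the Three Kingdoms II post (list maintenance writing a 0x0000 terminator onto the virtual machine's program counter) and the traversal hang in the reply to warmCabin, as an added Python simulation. This is not code from the posts or from Koei's games: the record layout (16-bit link at offset 0), the program counter at $0000, the head-pointer address 0x40 and the record addresses are all assumed, and the exact Koei layout that makes the post's officer "@ $0006" land on the program counter is not modelled.

```python
"""Simulation of the two linked-list hazards discussed in the posts above.

Added illustration with assumed layouts, not Koei's code or data:
  * a flat 256-byte "zero page" modelled as a bytearray
  * a 16-bit little-endian VM program counter assumed to live at $0000
  * officer records whose 16-bit "next" link is assumed to sit at offset 0
  * a province's list head pointer stored at an assumed address (0x40 below)
"""
from __future__ import annotations

PC_ADDR = 0x0000      # assumed: the VM's program counter slot
LINK_OFF = 0          # assumed: offset of the 16-bit next pointer inside a record
NULL = 0x0000         # end-of-list marker
MAX_STEPS = 128       # no legitimate list holds more records than fit in memory


class ZeroPage:
    def __init__(self, size: int = 0x100) -> None:
        self.mem = bytearray(size)

    def read16(self, addr: int) -> int:
        return self.mem[addr] | (self.mem[addr + 1] << 8)

    def write16(self, addr: int, value: int) -> None:
        self.mem[addr] = value & 0xFF
        self.mem[addr + 1] = (value >> 8) & 0xFF


def append(zp: ZeroPage, head_addr: int, rec: int) -> None:
    """Append record `rec` to the list whose head pointer lives at head_addr.

    The game trusts `rec`; nothing checks that it points at a real record.
    The final write (the NULL terminator into the new record's link field)
    lands wherever rec + LINK_OFF points, so a corrupted record address turns
    routine bookkeeping into a write of 0x0000 to a chosen location.
    """
    tail = head_addr
    nxt = zp.read16(tail)
    while nxt != NULL:
        tail = nxt + LINK_OFF
        nxt = zp.read16(tail)
    zp.write16(tail, rec)              # previous tail (or the head) now points at rec
    zp.write16(rec + LINK_OFF, NULL)   # rec becomes the last entry


def traverse(zp: ZeroPage, head_addr: int, max_steps: int = MAX_STEPS) -> list[int]:
    """Return record addresses in list order.

    A walker that only stops on NULL spins forever once corrupted links form a
    cycle (the crash the post attributes to a permanent traversal loop). This
    version remembers visited records and bounds the walk so it fails loudly.
    """
    out: list[int] = []
    seen: set[int] = set()
    cur = zp.read16(head_addr)
    while cur != NULL:
        if cur in seen or len(out) >= max_steps:
            raise RuntimeError(f"cycle or runaway list at ${cur:04X}")
        seen.add(cur)
        out.append(cur)
        cur = zp.read16(cur + LINK_OFF)
    return out


def demo_write_what_where() -> tuple[int, int]:
    """Append a record whose address aliases the PC slot; returns (PC before, PC after)."""
    zp = ZeroPage()
    head = 0x40
    zp.write16(PC_ADDR, 0x8123)          # VM is executing from ROM
    append(zp, head, 0x0000)             # corrupted record address == PC_ADDR
    return 0x8123, zp.read16(PC_ADDR)    # the terminator write zeroed the PC


def demo_cycle() -> str:
    """Build a sane two-record list, corrupt the tail link, and show the bounded walk refusing it."""
    zp = ZeroPage()
    head = 0x40
    append(zp, head, 0x10)
    append(zp, head, 0x20)
    assert traverse(zp, head) == [0x10, 0x20]
    zp.write16(0x20 + LINK_OFF, 0x10)    # save-data corruption: tail points back into the list
    try:
        traverse(zp, head)
    except RuntimeError as err:
        return str(err)
    return "no cycle detected"
```

The append is the primitive: the game never validates that a record address points at a record, so a pointer derived from save data or controller input makes the 0x0000 terminator land at a chosen address, here the program counter. The guard in traverse is the check the crash suggests the game lacks.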
Jigwally
Sorry but it doesn't seem like there's any point in publishing this even as an alternate category if there's those two known improvements.
Jigwally
New route using Scenario 4. Most of the runtime is me trying to adjust for the right checksum value after the main setup is completed. https://www.youtube.com/watch?v=mnf4gWkpKtM&feature=youtu.be
Jigwally
The current RTA record has some tech that improves the TAS: https://www.youtube.com/watch?v=tqAWeoQDWds I'm redoing the TAS to work in the death warps. I'm managing to shave off some extra frames from my previous attempt too.
* Saved some time in the first bridge section by discovering it's possible to fly all the way across the final gap. Completely overlooked the possibility before; likely requires a specific subpixel range.
* Saved more time with lag management in the river of fire (still did the RNG manip but with more efficient movement).
I'm going to end up doing a different route in the Forest now (the RTA takes a death inside the tunnel which spawns you at the top, so I won't have to worry about conserving health). Sorry, I'm not sure what you meant by getting the platforms to line up.
Jigwally
http://tasvideos.org/userfiles/info/56270277622377794 Another 400 frames cut (565 total) at the end of Boss 2.
Notes:
- Got the enemies in the overworld fight to appear even sooner w/ RNG manip
- If you have the health to spare, you can get across spike tiles slightly faster than flying over by turning left at the last frame to damage boost across them.
- Manipulated the green platform enemies not to shoot any projectiles to cut down on lag
- Big changes in forest stage. In addition to manipulating the green platforms I also manipulate the floating beetle enemies' spawn patterns so they lag the game less. More time saved in the wind tunnel area; I go out of my way to grab the heart so that I have another point of damage to damage boost through the spikes at the end (credit to WhiteHat94)
- Boss 2 pattern is basically identical to published TAS but I cut off 3 frames
Edit: OK I finally got around to watching WhiteHat94's RTA run & I see all the death warps he does that I didn't work into my current WIP at all. So I will probably have to redo most of what I did so far, unless the consensus is to avoid death abuse for entertainment value?
Jigwally
Doing some subpixel/lag management, ahead by 165 frames at the end of boss 1. http://tasvideos.org/userfiles/info/56066491035663965 Will work on optimizing the boss further.
Notes so far:
* Like other Capcom games the x/y subpixels are retained between levels so I try to max these out at the end of each stage
* Can get a small zip up by jumping part of the way into a semi-solid tile like a tree branch
* Hooded enemy RNG = how close you can get before they pop out of the ground
* Bird RNG = which of 3 flight patterns they use when you get close
* You can stand safely on the very edge of damage tiles
Boss:
* Jumps up to the first platform after 2 seconds or when you press B. So if you fire a quick shot to the left you can get him to approach you earlier.
* Uses Firebrand's animation counter as part of the calculation for determining whether to attack or jump, so you can alter your movement to manip this. Assuming other enemies in the game do this too.
Here is the Lua script WIP for fceux (sorry I'm a sloppy coder) http://tasvideos.org/userfiles/info/56066520232591776
Jigwally
OK, in this example just off-screen there is a set of old tile data that hasn't been overwritten yet. It gets written over with the new tile data 2 tiles at a time. In order to do the arrow glitch there needs to be a very small gap between the edge of the screen and the old tile data so the arrow can interact w/ it without going too far off screen and despawning. The lower on the screen the old tile data is, the closer you're able to get to it before it's written over. Edit: there are actually two spots I see where it would work to save time:
Jigwally
Thanks, I was able to see the tiles & replicate the glitch in BizHawk. Unfortunately I think it's only possible to do this on the bottom 3 rows of visible tiles on a screen, since the bottom tiles are the ones that get overwritten last as the screen scrolls, so they're the only ones where you can get an arrow close enough to leftover tile data without the arrow despawning.
Jigwally
The tile properties are in an array in memory @ $600, this is what is used for all collision checks including the tile hitting a wall. The above glitch probably happens because prior to it being overwritten by the screen scroll, there's tile data just offscreen representing a solid tile & if your values line up just right you can get the arrow to stick onto it without either a) the tile being overwritten by the screen scroll or b) the arrow despawning from being too far to the right. I wrote a script hoping to see that tile but if it's there it's cut off by the emu view. Is there an easy way to view gui drawings past the actual game view?
Jigwally
If you have any other scripting/RNG questions lmk, I wrote scripts to help manipulate the same RNG system for my Little Mermaid TAS
Jigwally
Noting that this needs to be updated to the version with the newest discovered glitches: http://tasvideos.org/userfiles/info/53632403736032677
Post subject: Question about initial memory state (NES)
Jigwally
I have been reading about games that don't initialize all of their RAM properly & I was hoping to learn more about how the memory values start out. Are they essentially assigned random byte values (00-FF), or are there certain values that are more common or impossible? I was still thinking about the pre-beaten boss incident w/ Blaster Master JP (Meta Fight) & I saw that the way the game knows if it's performing a soft reset is if #$23 is written into $3F4; otherwise the game knows to clear out memory $000-$7FFF. However, it seems to me that if you happened to have a boot-up state where this memory address just happened to be #$23, the game would mistake a power-on for a soft reset & retain whatever happened to be initially set for its other flags. Does this make sense, or am I misunderstanding how this works?
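The scenario in the question above, as an added Python model that is not from the thread or from Blaster Master's code: a reset handler that decides "soft reset, keep RAM" from a single byte, next to a stronger variant that requires a multi-byte signature plus a checksum over the state it keeps. NES internal RAM is modelled as the 2 KB at $0000-$07FF; the assumption that the game stores the marker after initialising, the signature bytes, the checksum address and the protected range are all invented for the example.

```python
"""Model of the reset-detection scheme described in the question above: on reset,
one RAM byte ($3F4 == #$23) decides between "soft reset, keep state" and
"power-on, clear RAM". Added illustration, not Blaster Master's code. Assumptions:
the NES's 2 KB of internal RAM ($0000-$07FF) is what gets cleared, the game writes
the marker after initialising so the next reset is recognised, and the addresses
used by the stronger check (SIGNATURE, SUM_ADDR, STATE_LO..STATE_HI) are invented.
"""
from __future__ import annotations

import random

RAM_SIZE = 0x800
RESET_FLAG = 0x3F4
RESET_MAGIC = 0x23

# stronger scheme: multi-byte signature plus a checksum over the state it protects
SIG_ADDR = 0x3F4
SIGNATURE = bytes((0x23, 0x5A, 0xA5, 0xC3))   # assumed marker; first byte keeps the original $23
SUM_ADDR = 0x3F8                               # assumed: 8-bit checksum of the retained state
STATE_LO, STATE_HI = 0x400, 0x500              # assumed: range of flags worth retaining


def power_on_ram(seed: int) -> bytearray:
    """Uninitialised RAM at power-on. Real SRAM is not uniformly random (each chip
    has a bias pattern), but uniform bytes already show the failure mode; seeded
    so results are reproducible."""
    return bytearray(random.Random(seed).randbytes(RAM_SIZE))


def clear_ram(ram: bytearray) -> None:
    ram[:] = bytes(RAM_SIZE)


def boot_single_byte(ram: bytearray) -> bool:
    """Reset handler as the post describes it. Returns True when the handler
    decided this was a soft reset and left RAM untouched."""
    if ram[RESET_FLAG] == RESET_MAGIC:
        return True
    clear_ram(ram)
    ram[RESET_FLAG] = RESET_MAGIC
    return False


def state_sum(ram: bytearray) -> int:
    return sum(ram[STATE_LO:STATE_HI]) & 0xFF


def seal(ram: bytearray) -> None:
    """Mark RAM as initialised: write the signature and checksum the protected state."""
    ram[SIG_ADDR:SIG_ADDR + len(SIGNATURE)] = SIGNATURE
    ram[SUM_ADDR] = state_sum(ram)


def boot_signature(ram: bytearray) -> bool:
    """Same decision, but a 4-byte signature must match (1 in 2^32 by chance instead
    of 1 in 256) and the retained state must checksum correctly, so garbage or
    stale flags are rejected even if the signature happens to survive."""
    sig_ok = bytes(ram[SIG_ADDR:SIG_ADDR + len(SIGNATURE)]) == SIGNATURE
    if sig_ok and ram[SUM_ADDR] == state_sum(ram):
        return True
    clear_ram(ram)
    seal(ram)
    return False


def first_misdetecting_seed(limit: int) -> int | None:
    """Smallest seed whose simulated power-on RAM fools the single-byte check."""
    for seed in range(limit):
        if power_on_ram(seed)[RESET_FLAG] == RESET_MAGIC:
            return seed
    return None


def misdetection_rate(trials: int) -> float:
    """Fraction of simulated power-ons the single-byte check treats as soft resets."""
    hits = sum(boot_single_byte(power_on_ram(s)) for s in range(trials))
    return hits / trials
```

With uniformly random power-on RAM the single-byte check is fooled about once in 256 boots; real SRAM start-up patterns are not uniform, so the rate on a given console can be much higher or lower, which is exactly why one marker byte is a weak authenticator for "this RAM is state I wrote". The checksum matters even with a long signature: it rejects flags that changed without the game re-sealing them (a real implementation would re-seal whenever the protected state changes).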
Jigwally
http://tasvideos.org/userfiles/info/53632403736032677 Additional 495 frames shaved off previous submission, mostly from Stage 3 clip
Jigwally
I translated the page enough to figure out the Stage 1 glitch. You jump to grab the vine the last possible frame so that it's simultaneous w/ getting killed by the Snapjaw enemy. https://twitter.com/Dugongue/status/1102465399369666560
Jigwally
They don't seem to work on FDS. I think this version is ported from PRG1. If you attempt the glitch of holding down while jumping on the vine in the later revision DK Jr just gets permanently stuck
Jigwally
http://www.aurora.dti.ne.jp/rap/g.donjr.html There are some explanations for the glitches in the original revision for anyone who reads Japanese better than I do. They refer to the original PRG0 revision as "830404", from the six-digit ID on the original Famicom pressing. Seems like if I check out Japanese web sources I could find more revision differences for NES games that aren't yet documented in any English-language sources.
Jigwally
Apparently the Japanese version of the game is even more glitched than I thought: https://www.youtube.com/watch?v=hEf7iI3b34s https://www.youtube.com/watch?v=rdju8pUn43w Some of these involve holding down on the D-Pad as you grab the vine close to the top.
Glitches shown:
1) End animation glitch (can apparently be done on Stage 1 as well)
2) Stage 2 screen warp glitch (doesn't save time unless there's a way to glitch through the right platform without dying)
3) Glitching through platform (easy to do in Stage 3)
Jigwally
Spikestuff wrote:
So long one author stacking on top of the other author's input.
Thanks I knew I forgot to do something
Jigwally
Yeah, you don't have to go around to the left side of the vine like I did in the video, you can do the TAS trick of jumping backwards. As long as you're facing left when you hit the vine the zip will occur.
Jigwally
I discovered a glitch that only exists in the original PRG0 revision: https://twitter.com/Dugongue/status/1097022410874773504
Jigwally
If you play the TAS file back to the point where you want to continue editing from, you can switch to read+write mode, then make a save state and then load it.
Post subject: Re: Mass glitch hunting through Regex searches?
Jigwally
Yeah, on closer inspection a lot of the hits in the list really were false positives. I still think this has potential but I have to be more intelligent about how I do it. For example I was previously attempting to use regular expressions that identified the memory address containing input based on its proximity to a load from $4016, put it into a capture group, & looked for another function that isolated directional data & transferred it to X or Y (for indexing from a table). My "holy grail" was to find a case where the game indexed a jump table with this data, & therefore I could get it to jump to a glitched address which could potentially be leveraged into an ending skip or even ACE. But I'm not sure such a glitch exists in any NES games.
Kles wrote:
If you can load the code into IDA or some other visual disassembler (I haven't used any other ones; sorry), you can get a list of code that links to it. I've never tried to disassemble SNES games using IDA, though, so I dunno how much of a pain in the ass it is to load. I think gocha wrote something to make it easier? https://github.com/gocha/ida-snes-ldr
Yeah the disassembly methods I've been doing are probably super inefficient. I don't use any kind of disassembler or even bother to assign symbols to anything in the emulator debugger. I probably need to learn how to rewrite everything as an annotated .asm file if I want it to be useful to other people.
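The search described in the post above (a load from $4016, the store that captures the input, and a later load of that variable transferred to X or Y to index a table), as an added Python scanner over a constructed 6502 disassembly listing. It is not a tool from the thread; the listing format "$ADDR: MNEMONIC OPERAND", the instruction windows and the sample code are assumptions. Beyond the raw pattern it records two things that separate a harmless menu lookup from the jump-table case the post calls the holy grail: whether an AND mask bounds the index before the transfer, and whether the indexed bytes are pushed and returned through RTS.

```python
"""Regex-driven scan of a 6502 disassembly listing for: (1) LDA $4016 followed by a
store of the input into RAM, (2) a later load of that RAM location transferred to
X or Y and used to index a table. Added illustration with a constructed listing,
not a tool from the thread; the listing format, windows and sample are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE = re.compile(r"^\$([0-9A-F]{4}):\s+([A-Z]{3})(?:\s+(\S+))?")
STORE = {"STA", "STX", "STY", "ROL", "ROR"}   # ways a bit read from $4016 ends up in RAM
ARITH = {"AND", "ORA", "EOR", "LSR", "ASL", "ROL", "ROR", "CLC", "SEC", "ADC", "SBC"}

@dataclass
class Insn:
    addr: int
    op: str
    arg: str

@dataclass
class Hit:
    load_addr: int      # address of the LDA that reads the input variable
    variable: str       # RAM location holding controller input
    table: str          # base address of the table indexed with it
    mask: int | None    # AND #$xx applied before indexing, if any
    dispatch: bool      # indexed bytes pushed and RTS'd: a jump table

def parse(listing: str) -> list[Insn]:
    out = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append(Insn(int(m[1], 16), m[2], m[3] or ""))
    return out

def input_variables(code: list[Insn], window: int = 6) -> set[str]:
    """RAM addresses written within `window` instructions after LDA $4016."""
    found = set()
    for i, insn in enumerate(code):
        if insn.op == "LDA" and insn.arg == "$4016":
            for nxt in code[i + 1:i + 1 + window]:
                if nxt.op in STORE and re.fullmatch(r"\$[0-9A-F]{2,4}", nxt.arg):
                    found.add(nxt.arg)
    return found

def indexed_uses(code: list[Insn], variables: set[str], window: int = 6) -> list[Hit]:
    """LDA <var> [arithmetic...] TAX/TAY ... OPC $TABLE,X/Y within the window."""
    hits = []
    for i, insn in enumerate(code):
        if insn.op != "LDA" or insn.arg not in variables:
            continue
        mask, j = None, i + 1
        while j < len(code) and code[j].op in ARITH:       # e.g. AND #$03 bounds the index
            if code[j].op == "AND" and code[j].arg.startswith("#$"):
                mask = int(code[j].arg[2:], 16)
            j += 1
        if j >= len(code) or code[j].op not in ("TAX", "TAY"):
            continue
        reg = code[j].op[-1]
        tail = code[j + 1:j + 1 + window]
        for k, t in enumerate(tail):
            m = re.fullmatch(r"(\$[0-9A-F]{4})," + reg, t.arg)
            if not m:
                continue
            block = []                                      # ops to the end of the basic block
            for u in tail[k:]:
                block.append(u.op)
                if u.op in ("RTS", "JMP", "RTI"):
                    break
            hits.append(Hit(insn.addr, insn.arg, m[1], mask, "PHA" in block and block[-1] == "RTS"))
            break
    return hits

def reachable_indices(hit: Hit) -> int:
    """Distinct index values the input can produce: 2^(set bits) of the mask, 256 unmasked."""
    return 256 if hit.mask is None else 2 ** bin(hit.mask).count("1")

def scan(listing: str) -> list[Hit]:
    code = parse(listing)
    return indexed_uses(code, input_variables(code))

# constructed sample: a standard controller read loop, a masked menu lookup
# (false positive for glitch hunting) and an unmasked push/RTS dispatch
SAMPLE = """
$C00A: LDX #$08
$C00C: LDA $4016
$C00F: LSR A
$C010: ROL $20        ; controller 1 bits accumulate in $20
$C012: DEX
$C013: BNE $C00C
$C015: RTS
$C100: LDA $20
$C102: AND #$03
$C104: TAX
$C105: LDA $C200,X
$C108: STA $30
$C10A: RTS
$C300: LDA $20
$C302: TAY
$C303: LDA $C401,Y
$C306: PHA
$C307: LDA $C400,Y
$C30A: PHA
$C30B: RTS
"""
```

On the constructed listing the first hit is masked to four values and cannot leave its table; the second is an unmasked push/RTS dispatch, so any of 256 input values selects the return address. That bounds check is what turns most raw regex hits into false positives, which matches the experience in the post.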